Microsoft Spurned Researchers Release 0-Day
nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."
Perhaps being a little more... diplomatic would be a good idea when dealing with the (sometimes rather ego-driven) people who know how to hack your box...
Happy days for us black hats!
No wonder the government wants an off switch...
For justice, we must go to Don Corleone
It seems that people are upset with Microsoft because 1) they have software vulnerabilities in their OS and 2) they do too little too late to fix these vulnerabilities before hackers start exploiting them.
This group cannot control one of these points (that Microsoft builds vulnerabilities into their OS). However, they can control the second point, by giving Microsoft advance notice and time to fix the vulnerabilities well before disclosing the vulnerabilities to the public.
It seems a bit hypocritical to me to accuse Microsoft of doing too little, too late to fix vulnerabilities, and then release unfixed vulnerabilities to the public.
I can't stand the righteousness of these guys. Hope their grandmothers get hacked because they love shouting out vulnerabilities.
MS has to test stuff to make sure the fix doesn't make things worse. Decisions get made, people don't like the outcome. But recklessly announcing security holes is just dumb, and isn't helping anyone.
fail.
FTA: Current MSRC Members (alphabetical order!): XX XXXXXX XXXX XXXXXXXX XXXXX XXX XXXXXXX XXXXXXX XXXXXX XXXXXXXXX XXXXX XXXXXXXX
;-)
If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc- disclosure () hushmail com. We do have a vetting process, by the way, for any Microsoft employees trying to join.
I wonder how they are going to determine *that*......
Just what we need: a one-stop shop for 0-day exploit code. Way to improve security, guys! Right on! Stick it to The Man! And by that, I mean the man (or woman) in the next cubicle, or next door, or down the street, or....
I am all for responsible disclosure of vulnerabilities - secrecy does not equal security, and "let's not talk about it and hope nobody notices" is never an appropriate response to vulnerabilities. But responsible disclosure includes working with the vendor, giving them the full data and an opportunity to correct prior to full public disclosure.
If MS is giving researchers the cold shoulder or worse in response to vulnerabilities that are responsibly disclosed to them, that's shame on Microsoft. But to my view, jumping to public disclosure is not the appropriate response.
The first thing that came to my mind was: "What a group of immature jerks."
Such unprofessional things were not done, at least not openly. For over 1000 months, the professionals were the guardians of peace and justice in the old businesses. Before the dark times. Before the internet.
This is the Ormandy thing all over again. I assume these "researchers" have had jobs? Is Computer Science so much easier than engineering that you can just shift manpower to cover the latest issue?
I'm an engineer, and unless the problem is loss-of-life catastrophic all problems or issues go through the same chain of actions. Reported issue, verify issue, bring issue before supervisor, supervisor and management decide if it's worth the money to fix, project assigned, problem solved, rolled into production or new line established, new line or new production staff is trained, actual product may hit the market in a few months (for larger industries I imagine it goes to years...).
If I have a problem that no one knows exists and that will affect .01% of my customers, and I have another problem that no one knows about and it will affect perhaps 1%. Unless that .01% problem is apocalyptic, it's getting pushed down the line until the 1% problem is solved. It's not laziness, it's not poor planning, it's prioritization. It's something every good engineer does because you simply can't solve every problem at once.
I hope these people eventually get real jobs.
Use responsible disclosure and not only Microsoft, but above all the users of Windows will like you.
Expose them to an unpatched vulnerability and they will love you, uh, less.
for those still running IIS5
get URLScan (if you haven't already)
http://technet.microsoft.com/en-us/security/cc242650.aspx
and add this to your urlscan.ini file in the [DenyUrlSequences] section
INDEX_ALLOCATION
and the attitude of microsoft is parental and dismissive, cold, aloof, and arrogant
and so the attitudes match each other perfectly
the question is: what would you do if you attempted to do the responsible thing and were rebuffed and in fact punished for the effort?
if there is no reward for responsible behavior, don't act surprised when irresponsible behavior prevails
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
The term 0-day is used correctly in the /. summary! Who would have thought!
well, we must first distinguish vendor punishment from harming the public. To me there is no excuse when any ordinary hard working (or whatever) internet user (or admin or)... gets harmed by a released 0day. I totally understand the point of these actions but I definitely cannot accept the consequences...
They tried to do it the "right" way, and that failed miserably. So what exactly do you suggest they do, STFU and give Microsoft (along with black hats) the right of way?
Microsoft wants holes in their code to remain secret so they won't have to lift a finger or spend a dime. Black hats want the holes to remain secret, so they have a chance to exploit them. By keeping it a secret, you're helping microsoft, and you're helping the black hats -- that's a net loss.
It's one of my favorite posts. Thanks for the nice information.
Based on what I've read, this was done intentionally and with malicious intent on the behalf of the researchers in retaliation for the negative attitude Microsoft showed toward Tavis Ormandy. In Tavis' case, I think Microsoft simply had some negative words to say, but in this case, Microsoft can claim that these security researchers intended to damage them based on their threats "that they will continue to do so in response to how Microsoft treated Tavis Ormandy."
It is clear to me that the researchers are either a) little kids or b) acting like little kids, and I hope Microsoft and the rest of the security community come down hard on them to prevent further retaliation tactics that hurt users more than the companies they are attempting to damage.
If I had the expertise and time I would do it that way: if I found vulnerabilities in MS software I would publicly reveal them anonymously on lots of websites, wikileaks, craigslist, slashdot, digg, reddit & etc... give it as much exposure as possible as quickly as possible.
Politics is Treachery, Religion is Brainwashing
The real bad guys most certainly know about these security issues long before they become common knowledge. Responsible would be Microsoft patching their stuff as soon as they learn about an exploit instead of waiting for the known ones to be spread in the wild.
Responsible disclosure is just Microsoft's way of trying to get people to shut up about their crappy security. If Microsoft were the least bit interested in security they would care more about real security than UAC (put the blame on the user) and playing statistics by making more secure products, hiding patches and grouping patches etc.
HTTP/1.1 400
what prevents a security flaw from getting fixed? $$$
What causes security flaws to be released ? $$$
Assuming that is mostly accurate, I would then postulate that Microsoft protects their profits at the expense of an acceptable amount of security flaws (among a bunch of other stuff).
To argue pro-MS on their behavior wrt identifying security flaws in their system, given the above (if the above were true, that is), would be akin to this:
"Please do not diminish Microsoft's profits just to increase end users' security."
If you agree with the restatement of the counter argument, then I have to disagree with you. If the restatement is incorrect, then one of the assumptions must be wrong - which I believe they are not.
At this point, then, my opinion is: let's not worry about Microsoft's profits; let's instead worry about the end users and Microsoft's ability to serve their end users well. If you see that the profits from MS are getting spent on these wonderful things and believe that the profits are more valuable than this whole "computing" stuff, then perhaps I might agree with you; go ahead and make a case for me to read. If I were convinced, then I probably would conclude that MSRC are in the wrong.
By revealing a flaw is the MSRC putting end users at risk?
By diagnosing a terminally ill cancer patient, does the doctor kill the cancer patient?
Maybe, so - but even if that were the case - should we worry about removing the doctors or worry about curing cancer?
Come on, any company that is informed of a bug will not and should not issue a fix for it as soon as they have one; these fixes need to be tested and verified in lots of different test environments, and this takes time. I'm sure they have a process for new issues that come to light, although I think I read 60-90 days, which may be a little long; is this the same for hot fixes? Still, not knowing the amount of testing that is done, I'm not sure. The Google muppet that got all offended over Microsoft not fixing the security hole as quick as he would have liked and so made it public was just plain stupid, and this MSRC group will be no different.
Thanks to MSRC, now every script kiddie will be logging on for the latest info to do more harm than good. Why don't MSRC just inform Microsoft of the things they find and not make it public until it's been fixed? Oh, but wait, that's the whole point: they want to be counterproductive. I wonder how many companies/users will be on the ill end of MSRC-released code, and should they be held liable for damages incurred because of it!
Basic techniques employed by Microsoft are sometimes used by other people writing Operating Systems!
It's not just about saying "hey Microsoft, you've got a vulnerability". For researchers, it's about discovering what techniques have what vulnerabilities.
Microsoft Spurned Researchers Release 0-Day
I get about as far as "Microsoft Spurned Researchers" and then the rest of it doesn't make any sense. Like you need a conjunction or something after "Researchers"...
Or, you know, hyphenate "Microsoft-Spurned" so the damn headline makes sense.
Bow-ties are cool.
Back in the mid-1970s, several of the system support staff at Motorola discovered a relatively simple way to crack system security on the Xerox CP-V timesharing system. Through a simple programming strategy, it was possible for a user program to trick the system into running a portion of the program in 'master mode' (supervisor state), in which memory protection does not apply. The program could then poke a large value into its 'privilege level' byte (normally write-protected) and could then proceed to bypass all levels of security within the file-management system, patch the system monitor, and do numerous other interesting things. In short, the barn door was wide open.
Motorola quite properly reported this problem to Xerox via an official 'level 1 SIDR' (a bug report with an intended urgency of 'needs to be fixed yesterday'). Because the text of each SIDR was entered into a database that could be viewed by quite a number of people, Motorola followed the approved procedure: they simply reported the problem as 'Security SIDR', and attached all of the necessary documentation, ways-to-reproduce, etc.
The CP-V people at Xerox sat on their thumbs; they either didn't realize the severity of the problem, or didn't assign the necessary operating-system-staff resources to develop and distribute an official patch.
Months passed. The Motorola guys pestered their Xerox field-support rep, to no avail. Finally they decided to take direct action, to demonstrate to Xerox management just how easily the system could be cracked and just how thoroughly the security safeguards could be subverted.
They dug around in the operating-system listings and devised a thoroughly devilish set of patches. These patches were then incorporated into a pair of programs called 'Robin Hood' and 'Friar Tuck'. Robin Hood and Friar Tuck were designed to run as 'ghost jobs' (daemons, in Unix terminology); they would use the existing loophole to subvert system security, install the necessary patches, and then keep an eye on one another's statuses in order to keep the system operator (in effect, the superuser) from aborting them.
One fine day, the system operator on the main CP-V software development system in El Segundo was surprised by a number of unusual phenomena. These included the following:
Naturally, the operator called in the operating-system developers. They found the bandit ghost jobs running, and killed them... and were once again surprised. When Robin Hood was gunned, the following sequence of events took place:
Each ghost-job would detect the fact that the other had been killed, and would start a new
It seems like the lesson has to be relearned periodically.
This same debate reappears like sunspots. Full Disclosure v. Responsible Disclosure. Black/Gray/White hats.
The funny part here is that Microsoft itself seems to have forgotten how the script goes.
MS, Sun, Oracle, Cisco, HP, they've all been through this cycle. You'd think they'd figure out that mission critical software requires a responsive, competent security response team. And they do figure it out. It just seems that the lesson has to be relearned every so often - prying the PRarnicles off the hull, so to speak.
I forget what 8 was for.
We need an irrevocable authenticated delayed publication mechanism: some way to put a GPG-signed document into a pipeline such that it will be published at the end of X days no matter what anyone (including the author) does. Researchers could then send their discoveries to vendors with the notation "This vulnerability will come out of the IADP system in sixty days". Browbeating them for more time would be pointless and their priority of discovery would be secure.
There are no doubt many other uses for such a system as well.
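The delayed-publication pipeline proposed above, sketched as an added example that is not part of any commenter's post: a document is accepted only if its signature verifies, a hash commitment binding it to a fixed release date is returned at once (so priority of discovery is fixed at submission time), withdrawal is refused to everyone including the author, and release happens only once the date has passed. The HMAC stand-in for GPG signing, the key and the advisory text are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def sign(key: bytes, advisory: bytes) -> bytes:
    """Stand-in for the researcher's GPG signature (assumption: HMAC-SHA256
    under a key shared with the pipeline; a real system verifies GPG)."""
    return hmac.new(key, advisory, hashlib.sha256).digest()


def commitment_for(advisory: bytes, release_at: datetime) -> str:
    """Hash binding the document to its release date. Publishing this value
    immediately proves what was submitted and when it will come out, without
    revealing the content, so neither side can later move the date."""
    return hashlib.sha256(advisory + release_at.isoformat().encode()).hexdigest()


class DelayedPublisher:
    def __init__(self, signer_key: bytes):
        self._key = signer_key
        self._queue = {}  # commitment -> (advisory, release_at)

    def submit(self, advisory: bytes, signature: bytes,
               submitted: datetime, days: int):
        # Authenticate first: an unsigned or mis-signed document is refused.
        if not hmac.compare_digest(sign(self._key, advisory), signature):
            raise ValueError("signature does not verify; submission refused")
        release_at = submitted + timedelta(days=days)
        commitment = commitment_for(advisory, release_at)
        self._queue[commitment] = (advisory, release_at)
        return commitment, release_at

    def withdraw(self, commitment: str):
        # Irrevocable: there is deliberately no code path that removes or
        # postpones an entry, whoever asks.
        raise PermissionError("IADP entries cannot be withdrawn or delayed")

    def released(self, now: datetime) -> dict:
        # Everything whose deadline has passed is public; nothing earlier is.
        return {c: a for c, (a, r) in self._queue.items() if now >= r}


def demo():
    """Submit one constructed advisory with a 60-day clock and probe it."""
    key = b"researcher-demo-key"  # constructed
    advisory = b"constructed advisory: local privilege escalation in product X"
    submitted = datetime(2010, 6, 28, tzinfo=timezone.utc)  # constructed
    pub = DelayedPublisher(key)
    commitment, release_at = pub.submit(advisory, sign(key, advisory), submitted, 60)
    early = pub.released(submitted + timedelta(days=59))   # still sealed
    late = pub.released(submitted + timedelta(days=60))    # now public
    return commitment, release_at, early, late


if __name__ == "__main__":
    c, r, early, late = demo()
    print("commitment:", c)
    print("release at:", r.isoformat(), "| sealed before:", early, "| released:", late)
```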
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
1. You could auto-release 0day; never contact the fella like Microsoft to see if they'll fix it. You are left with lots of known insecure machines.
2. You could give Microsoft all the info and tell them to fix it and never release info to the public. Microsoft never fixes these. You are left with a public who is insecure and doesn't know.
Best practice is both. Contact Microsoft, get them to sign an NDA that expires in ~1 month (or whatever is plenty of time to fix the bug relative to severity). Give them all the info they need to fix it. Tell them that on X date it's full disclosure, so fix it or be in the bad PR situation of explaining why they didn't fix it in the time period given. MS really, really is going to fix it then.
This is a hot-button issue where side A tries to convince side B they're wrong, and side B tries to convince side A of same.
There are benefits and drawbacks of full disclosure. There are benefits and drawbacks of responsible disclosure. There will never be a consensus.
I'm not trying to say it's not worth trying, but when doing a Google search for "full disclosure" and "responsible disclosure" on slashdot.org comes up with:
All on the first page . . . all from 2010 . . . All as threads with this debate going on . . .
Hasn't the deceased equine been flogged enough?
I believe there are times when full disclosure is better, especially when a company has shown a track record of not following through. I believe there are times when responsible disclosure is better. I don't think it's an absolute and this is not the only criteria I use when trying to decide which one applies to a scenario. But when the debate keeps going on over and over and over and over again . . . perhaps there should be a "Full Disclosure vs Responsible Disclosure" classification for Slashdot.
I wouldn't even notify Microsoft... I'd just release it and laugh a hearty pirate laugh. Microsoft should count themselves lucky I have no haxor skills and the people that do give them any notice in the first place.
I can attest to the fact that we are by and large utterly incompetent when handling reports of hacks. As an example, we had never seen them in our products before and only recently became aware of several nasty buffer overflows in our flagship product. The 'hat' that found the problems was based out of Quebec and didn't speak English. Our corporate office, having first been informed of the issue, immediately declared their intent to prosecute the perceived hacker. We had a generous 5 days to respond as well before he disclosed.
11 days into the fiasco we still had no team, we had no direction, and we were scrambling to find the firmware and software our products used that was vulnerable to notify our customers, most of them DoD and government entities. We strung this poor schmuck along for 15 days total before we began publishing the exploit. We even initially toyed with the idea of withholding his name in the report, but thank God all agreed that would be not only rude, but very dangerous since he was still in possession of a few flaws we had not found.
We sent an NDA, we sent legal agreements, we came back very empty-handed.
Good people go to bed earlier.
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/GQXtgS2QIkI/Prince-Says-Internet-Is-Over There. Now there's nothing to worry about. Feel better?
After exhaustive research and excrutiating analysis, I've determined that Bubba is, in fact, everywhere.
I think what Tavis Ormandy needs to remember is that Google is also in the business of creating software. I do wonder what would happen should such a 0-day exploit be found in Android or Chrome (OS). Would we expect that the researcher(s) who discover the exploit should also give Google 5 days to issue a patch before publishing?
Basically what I expect is should we ever see Google not get their patches out within the 5 days, then we should hold them to the same shame as MS.
Perhaps these researchers can create and release a product of their own. If they're so damn proficient, develop a better mouse trap. Just pointing out the problems w/ the most popular mousetrap is helpful, but shouldn't bring the adulation these guys want.
Let's see...Silverlight, Zune, Kin, blah blah blah...how about focusing more on things that need to be fixed before trying to turn yet another dollar and whining that there isn't enough manpower or time for security. Grab the people on those other teams and put them to work on the critical stuff. It's not like Microsoft doesn't have the money or hasn't had the time or manpower. Come on. Really. If you read the article about the 0-day exploit that Microsoft has been so recently up in arms about, it relates to Windows XP. That dates back quite a long time ago to not have known about the problems and get them fixed. That's simply dragging your feet, 'til someone notices. Good on the researcher for putting it out there.
....would bitch even more if they fixed a 0-day reported to them within a week, and it broke a bunch of systems because they didn't have all the time to regression test against all your old shit, running pirated versions of their OS...
I would love for someone to tell me the security code to someone's house, or several houses. I am all for telling company x that they have a flawed product and then saying that I will go public with it in a reasonable amount of time in order to let company x fix the flaw. However, I am reading about all the glory associated with finding a flaw and that waiting to publish might let some other "security" researcher publish the flaw before me; why is cred the overriding motivation? I just don't get why you would tell a criminal what your friends house code is before he can fix the problem...that is what is going on here.
So ... what exactly is an "inferred employer" when it's at home? :-)
As I understand it, Tavis is indeed employed by Google. I'm hard pressed to see how Microsoft can be blamed for mentioning this fact.
Suppose a MS employee were to "fully disclose" a vulnerability in Firefox. Does anybody suppose that Microsoft would escape mention, even if (s)he was acting in a private capacity at the time?
Like when they brought out Windows 95 - their search function would only find file types produced from Microsoft software......
Like "Oh fucking Duhh!"
The company is run by stupid cunts who were idiots to begin with.
Voting up, Voting down - If I really gave a fuck about your approval or not, I'd come and ask you.
"Except that in this case it sounds like the entire point of this MSRC organization is to hide the identity of the guy who found the exploit in the first place"
`Pushed into action by the reception to the flaw disclosed by Tavis Ormandy '
This sounds like a good way to obtain the IP addresses of anyone who downloads exploit information. What is MSRC's log retention policy?
Can someone add a hyphen between the first two words, please? The headline is difficult to parse without it.
These security holes have been there for years.. who knows how many people actually know about them.. Security through obscurity is no way to protect the system. Holes should be patched ASAP. I've found several holes myself, in both browsers and websites, and I've always sent them to the companies first. Many jump right on it and a fix is out in days (Google was one of these)... Others sat on it for months and ignored me... until I published the exploit, which they then quickly patched. The fact is, publishing an exploit will quicken the patch time for the slow companies.
-- these are only opinions and they might not be mine.
http://slashdot.org/comments.pl?sid=1687452&threshold=-1&commentsort=0&mode=thread&pid=32587238
Take a read, as well as the comment below it. The actual MS mgt. figure posts here as Foredecker, and he has been aware of and acknowledged the fact that there is something wrong with Microsoft's IP stack in HOSTS files, hardcodes in pagefile.sys locations, and the DNS Clientside caching service. Has this been fixed? No. When was the MS manager notified of it?? Almost a year ago, and nothing was done, even though said MS mgt. person said it would be looked into by him.